On 18/01/23 16:38, Max Nikulin wrote:
> On 18/01/2023 03:52, Richard Hector wrote:
>> On 17/01/23 23:52, Max Nikulin wrote:
>>> lxc.idmap = u 0 100000 1000
>>> lxc.idmap = u 1000 1000 1
>>> lxc.mount.entry = /home/richard/sitename/doc_root srv/sitename/doc_root none bind,optional,create=dir
>> My goal is not to map container users to host users, but to allow a
>> container user (human user) to access a directory as another container
>> user (non-human owner of files). This should also be doable for
>> multiple human users for the same site.
> Do you mean mapping several users (human and service ones) from a single
> container to the same host UID? The approach I suggested works for 1:1
> mapping. Another technique is group permissions and ACLs, but I would
> not call it straightforward. A user may create a file that belongs to
> wrong group or inaccessible by another user.
I'll use more detail :-)
I have a WordPress site. The directory /srv/sitename/doc_root, and most
of the directories under it, are owned by user 'sitename'.
PHP runs as 'sitename-run', which has access (via group 'sitename') to
read all of that, but not write it. Some subdirectories, e.g.
.../doc_root/wp-content/uploads, are group-writeable so that it can save
things there.
An authorised site maintainer, e.g. me ('richard') (but there may be any
number of others), needs to be able to write under /srv/sitename, so I
use bindfs to mount /srv/sitename under /home/richard/sitename, which
presents it as owned by me, and translates the ownership back to
'sitename' when I write to it. So each human user sees the site as owned
by them, but it's all mapped to 'sitename' on the fly.
These users I guess map to host users, but I'm not particularly
interested in that ... actually I should care more, because it actually
maps to a real but unrelated user id on the host, which could have bad
implications - but I think that's a separate issue.
I'm not ignoring the rest of your message; I'll look at that separately :-)
Cheers,
Richard
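As an added example (not part of the thread, and not LXC's own tooling), the script below resolves the two lxc.idmap lines quoted above in both directions, so you can check which host UID a container user such as 'sitename' or 'richard' actually lands on, which is the concern raised about the mapping hitting an unrelated host account. The idmap text is embedded as a constructed sample copied from the quoted config; the helper names are assumptions.

```shell
#!/bin/sh
# Constructed sample: the uid idmap lines quoted in the thread.
IDMAP='u 0 100000 1000
u 1000 1000 1'

# host_uid CONTAINER_UID: print the host uid a container uid is mapped to,
# or "unmapped" if no lxc.idmap range covers it (such a uid cannot exist
# inside the container at all).
host_uid() {
    printf '%s\n' "$IDMAP" | awk -v id="$1" '
        $1 == "u" && id >= $2 && id < $2 + $4 {
            print $3 + (id - $2); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# container_uid HOST_UID: reverse lookup. A host uid outside every range is
# shown inside the container as the kernel overflow uid 65534 (nobody).
container_uid() {
    printf '%s\n' "$IDMAP" | awk -v id="$1" '
        $1 == "u" && id >= $3 && id < $3 + $4 {
            print $2 + (id - $3); found = 1; exit
        }
        END { if (!found) print 65534 }'
}

# Quick report for the uids that matter in the setup described above.
for uid in 33 1000 1001; do
    printf 'container uid %s -> host uid %s\n' "$uid" "$(host_uid "$uid")"
done
for uid in 100033 1000 1001; do
    printf 'host uid %s -> container uid %s\n' "$uid" "$(container_uid "$uid")"
done
```

Run it against your real config (`grep '^lxc.idmap' /var/lib/lxc/NAME/config`) to see whether a 1:1 entry like `u 1000 1000 1` hands a container account the files of a pre-existing host user with the same uid.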